20170324 Adium Bug

DESCRIPTION

A BUG HAS BEEN DISCOVERED IMPACTING THE INSTANT MESSAGING LIBRARY "LIBPURPLE". THIS BUG ALLOWS REMOTE EXECUTION OF CODE WITHIN LIBPURPLE VIA MECHANISMS TO BE DESCRIBED IN CVE-2017-2640. ADIUM MAINTAINERS HAVE BEEN INFORMED BUT NO RESPONSE HAS BEEN RECEIVED. ADVISE ALL USERS TO CEASE USING ADIUM UNTIL FURTHER NOTICE.

WATCHES AND WARNINGS

ALL RECIPIENTS RUNNING ANY VERSION OF THE ADIUM EXECUTABLE ON MACINTOSH OPERATING SYSTEMS ARE AFFECTED

DISCUSSION

According to a message posted to the Full Disclosure mailing list on March 20, 2017, Adium maintainers were contacted related to a security bug in libpurple, assigned CVE-2017-2640 (which is not public at this time). The maintainers of Adium have not yet responded to the notification. All versions of Adium are therefore considered insecure until an update is issued.